Technology Mash-up: Integrating Computer Forensics and Data Analytics

GUEST BLOGGER

Jeremy Clopton, CFE, CPA, ACDA
Senior Managing Consultant, Forensics and Valuation Services, BKD, LLP

A recent Journal of Accountancy article focused on the integration of unstructured data into the risk management process. The authors discussed various ways to use unstructured data proactively for risk management and identification. They also included an eight-step approach to accomplish this goal. Two of the topics from that article, used together, can create an efficient and effective investigation tool. 

In many investigations, computer forensics experts image and obtain data (much of it unstructured) from computers used by individuals who are part of the investigation. Investigations also include the use of data analytics experts for the analysis of transactional data. Utilizing these experts together may help increase the effectiveness and efficiency of investigating the unstructured data. As I mentioned in a previous post, at its core unstructured data is still data and, as such, is analyzed in much the same way as transactional data. 

Text mining is the most common catchall term for the process of analytics related to unstructured data. This is much more than just keyword searches and sorting. Text mining is a family of tools and procedures that, applied collectively, form an impressive investigative toolset and methodology. Some of the functions in the text mining family include:

  • Traditional searching: keyword searches, indexing and traditional computer forensics
  • Topic mapping: automated extraction and analysis of key topics, themes and concepts over time
  • Part of speech tagging: analysis of grammatical structure of communications to assist in identifying tones, entities, individuals and concepts
  • Tone detection: analyzing the sentiment or emotional tone of communications
  • Named entity extraction: identification of key entities and individuals within documents and communications
  • Predictive coding/natural language processing: artificial intelligence-assisted analysis used to identify similar documents and content for more effective review

Leveraging the information gathered during the analysis of unstructured data enhances the analysis of more traditional structured data. For example, take two employees who, through email analysis, are found to consistently discuss a vendor in vague or conspiratorial “tones.” The analyst extracts the vendor name, to/from, date/times and overall emotional tone from that email chain. She then integrates that data into her analysis of purchasing activity, specifically focusing on unusual trends or patterns for that vendor on or around those dates. This process utilizes both the computer forensics and data analytics experts for a more comprehensive analysis. 
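The vendor example above can be sketched in code. This is an added illustration, not code from the author or the Journal of Accountancy article: it joins rows exported from the email analysis to purchasing records and flags purchases that are both close in time to a negative-tone email about the vendor and unusually large for that vendor. The field names, the tone scale, the thresholds and all sample rows are constructed assumptions.

```python
from datetime import date
from statistics import median

# Constructed sample: rows a text-mining step might export from an email chain.
# Field names and the tone scale (-1 guarded/negative .. +1 positive) are assumptions.
EMAIL_HITS = [
    {"vendor": "Acme Supply", "sender": "emp_a", "recipient": "emp_b",
     "sent": date(2023, 1, 10), "tone": 0.2},
    {"vendor": "acme  supply ", "sender": "emp_b", "recipient": "emp_a",
     "sent": date(2023, 3, 14), "tone": -0.7},
]

# Constructed sample: purchasing ledger rows (PO id, vendor, date, amount).
PURCHASES = [
    ("PO-1001", "Acme Supply", date(2023, 1, 11), 1200.00),
    ("PO-1002", "Acme Supply", date(2023, 2, 8), 1150.00),
    ("PO-1003", "Acme Supply", date(2023, 2, 27), 1250.00),
    ("PO-1004", "ACME SUPPLY", date(2023, 3, 15), 5400.00),
    ("PO-1005", "Acme Supply", date(2023, 3, 16), 1300.00),
    ("PO-2001", "Borealis Freight", date(2023, 3, 1), 800.00),
    ("PO-2002", "Borealis Freight", date(2023, 3, 20), 820.00),
    ("PO-2003", "Borealis Freight", date(2023, 4, 2), 4000.00),
]

def norm(name):
    """Normalize vendor names so email text and ledger entries match."""
    return " ".join(name.lower().split())

def flag_purchases(email_hits, purchases, window_days=3, tone_max=-0.5, ratio=2.0):
    """Flag purchases within window_days of a negative-tone email about the
    same vendor whose amount is at least ratio x that vendor's median."""
    amounts = {}
    for _, vendor, _, amount in purchases:
        amounts.setdefault(norm(vendor), []).append(amount)
    baseline = {v: median(a) for v, a in amounts.items()}

    flagged = []
    for po, vendor, when, amount in purchases:
        key = norm(vendor)
        emails = [e for e in email_hits
                  if norm(e["vendor"]) == key and e["tone"] <= tone_max
                  and abs((when - e["sent"]).days) <= window_days]
        if emails and amount >= ratio * baseline[key]:
            flagged.append({"po": po, "amount": amount, "baseline": baseline[key],
                            "emails": [(e["sender"], e["recipient"], e["sent"])
                                       for e in emails]})
    return flagged

if __name__ == "__main__":
    for row in flag_purchases(EMAIL_HITS, PURCHASES):
        print(row)
```

Requiring both signals keeps the review list short: a large purchase with no related email, or a routine purchase near a flagged email, is left for ordinary analytics rather than escalated.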

While the article in Journal of Accountancy discusses more preventative measures, the principle holds true for investigative measures. Leveraging the unstructured data within an organization can have a profound impact on risk management – both from the preventative and investigative standpoints.

Computer Forensics: Following the Digital Bread Crumbs

GUEST BLOGGER

Phillip Rodokanakis, CFE, EnCE, ACE, DFCP
U.S. Data Forensics, LLC
Herndon, Va.

During the execution of search warrants in the late 1980s and early 1990s, investigators would examine every piece of paper we could get our hands on. We would look at computers, scratch our heads and wonder, “How do we access the digital data they contain?” At the time we had no protocols or tools to retrieve and examine digitally stored data.

The term computer forensics was reportedly coined in 1991 at the first training session sponsored by the International Association of Computer Investigative Specialists (IACIS). Since that time, the term has become accepted in the computer security field and the legal profession. Recent technological advances have introduced computing capabilities to all kinds of new devices, such as PDAs (Personal Digital Assistants), smartphones and iPads. Accordingly, the term digital forensics was introduced to cover all types of digital devices that have become commonplace in our daily lives.

Even though these terms are widely recognized now, they evoke different ideas about what this discipline really entails. Some think that computer forensics involves the collection of digital files from computer systems in order to present them in searchable electronic databases. Others believe that it may involve a forensic review of electronic data stored in large databases. So what is computer or digital forensics?

Just as a fingerprint examiner examines latent fingerprint impressions found at a crime scene with the goal of linking them to the known fingerprints of a suspect, a digital forensics expert examines computer and digital storage systems to identify relevant evidence stored on them that may link a suspect to the case under investigation. In particular, computer forensics deals with the acquisition, preservation, identification, extraction, analysis and documentation of digital evidence.

CFEs must familiarize themselves with the type of data that can be obtained from digital forensic examinations. A thorough examination of storage devices by a competent digital forensic examiner may yield evidence that is otherwise unavailable. I have been involved in a number of cases where the digital forensic examination led to finding the “smoking gun” literally in a matter of hours, whereas traditional investigative approaches would have taken months to identify the culprits, if ever.

As trial attorneys rely more and more on proving cases through the introduction of digital evidence, new litigation support technologies and services have evolved. Computer or digital forensics is one such example, where specially trained professionals use basic investigative and IT skills to find evidence that is left behind on digital storage devices. Additionally, the introduction and authentication of digital evidence in a court of law usually requires testimony by an expert witness, meaning that digital forensic examiners must also qualify as expert witnesses.

To learn more about digital forensics, go here.

Electronic Discovery, or eDiscovery, is another example of a technology that has evolved from the use of digital evidence. Want to know more about eDiscovery? Tune in next month.